State Privacy & AI News - 1/24

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy and AI legislation, regulation, and enforcement from across the U.S. states. Over 45 states have entered their regular legislative sessions so we are in the thick of the lawmaking cycle now. Let’s dive on in…

1. New York Passes Sweeping Health Privacy Law Raising Significant Operational Challenges?

In the first big state privacy development (and surprise) of 2025, the New York legislature rushed to pass the New York Health Information Privacy Act (S929) with a 49-10 vote in the Senate and a 95-41 vote in the Assembly. NYHIPA will now move to the desk of Governor Hochul, who will likely have the ability to further revise the framework through the Chapter Amendment process.

NYHIPA is of similar scale and scope to Washington State’s landmark My Health, My Data Act (2023), but has numerous divergences in definitions and substantive requirements that, as currently drafted, would pose “highly disruptive and costly implications” for companies that use personal health information.

In terms of covered data, NYHIPA would govern information processed in “connection with” the physical or mental health of an individual. NYHIPA is broader than MHMD because it does not clearly exclude employee data, data used for public interest research, or GLBA-regulated data, which would sweep in many companies involved in payment processing. However, NYHIPA also does not include an MHMD-style list of specific categories of information that will be considered health information, meaning data like “biometric information,” which is regulated under MHMD, may escape the scope of NYHIPA (unless specifically used for a health purpose).

MHMD famously has a two-tier consent framework: opt-in consent for non-“necessary” processing and a heightened form of “valid authorization” for any sales of consumer health data. In contrast, NYHIPA permits “strictly necessary” data processing (a more restrictive standard, but available for a somewhat broader list of permissible purposes) but then requires highly prescriptive “valid authorization” for any other health data processing. The valid authorization standard appears unique to New York: it requires extensive disclosures and a signature from the data subject, and the authorization must occur at least 24 hours after a business's initial contact with a consumer.

NYHIPA creates consumer rights to access, delete, and revoke authorization for data processing, but even these provisions will raise challenges. Significantly, NYHIPA does not establish a framework for verifying consumer requests, creating the possibility that consumer rights will become an attack vector for service disruption or theft of sensitive information. The Act further requires that access and deletion requests be completed within a (comparatively short) 30-day window, but provides that revoking authorization should cause processing to “immediately cease,” which is likely to be highly impractical given the ways that data is stored, processed, and backed up (comparable laws provide a 15-day window to revoke consent).

In addition to these major operational issues that may impede access to health services in New York, NYHIPA in its current form also raises potential constitutional infirmities. Unlike the vast majority of U.S. consumer privacy laws, NYHIPA includes no carve-out for publicly available data - implicating First Amendment questions. Furthermore, instead of seeking to protect solely New York residents, NYHIPA also appears to cover residents who physically enter New York and potentially data of non-New Yorkers that is processed or accessed from within New York, which could form the basis for a challenge under the Dormant Commerce Clause.

2. New Age-Appropriate (Online) Design Code Framework Introduced in Nebraska

In the ongoing child online safety debates, Republican lawmakers have typically prioritized age-verification and -gating requirements for particular types of platforms (e.g. adult content sites, social media), while Democrats have more frequently advanced broader internet-wide proposals to regulate how businesses design their services in order to mitigate risks, often in the form of Age-Appropriate Design Codes (AADC). To date, two U.S. states have passed significantly diverging “Age-Appropriate Design Code” laws - California and Maryland - though both face open questions (and in the case of California, litigation) about their constitutionality, albeit for somewhat different reasons.

In this context, it is noteworthy that the Republican Governor and Attorney General of Nebraska have launched, as part of a larger child safety package, a new-look Age Appropriate [Online] Design Code Act with bipartisan support in the state legislature. LB504 would establish a “duty of care” for businesses to “prevent” identified harms to minors under age 18 such as compulsive usage, severe emotional distress, discrimination, and severe psychological harm. Nebraska's approach differs from prior AADC frameworks in various ways, most notably, by requiring companies to publicly demonstrate compliance through independent third-party audits, rather than to complete risk assessments. It would also require companies to provide tools to enable parents to “prevent artificial intelligence from utilizing personal data to communicate or interact" with a user.

Fortunately, the Nebraska bill does appear to address the Maryland AADC’s “Luigi’s Mansion” problem which, if read literally, appears to ban child and teen accounts in Maryland.

3. Making Sense of Massachusetts

We are fast approaching a critical mass-achusetts of privacy bills in the Bay State. Massachusetts is at the outset of a 2-year state legislative cycle and legislation is being filed hand over fist. Historically, unique and far-reaching privacy bills have gained committee-level traction in Massachusetts but failed to advance from their chambers. This year, there are so many privacy bills active in Massachusetts that we’ve decided to cover only the comprehensive frameworks (though to be fair, many of these are re-files):

  • The Massachusetts Information Privacy and Security Act (SD 2355): This is a unique proposal that incorporates elements of many different privacy frameworks. This includes California-style definitions and consumer rights, WPA-style business obligations, an Ohio-style breach litigation safe harbor, and a GDPR-style “lawful basis” for processing model.
  • The Massachusetts Data Privacy Act (SD 267; SD 495; HD 2110): These bills all appear modeled on the proposed federal American Data Privacy and Protection Act of 2022 which contained a unique “Duty of Loyalty” establishing a list of permissible processing purposes.
  • The Massachusetts Consumer Privacy Act (HD 2135): This appears to be the first state bill based on the EPIC/Consumer Reports model privacy bill. This framework would ban targeted advertising based on a wide range of “sensitive data” and includes a data minimization standard that limits processing activities to what is reasonably necessary to provide a specifically requested product or service or for communications that can be reasonably anticipated.
  • The Internet Bill of Rights (HD 1679): This bill is essentially the European Union’s General Data Protection Regulation.
  • The Massachusetts Neural Data Privacy Protection Act (HD 4127): Despite the title, this is an ADPPA-inspired comprehensive privacy bill with explicit call-outs for protecting neural data.
  • The Comprehensive Massachusetts Consumer Data Privacy Act (SB 2520; HD 4073): In contrast to the previous bills, this is a very standard Connecticut-style privacy framework.

When you have six distinct comprehensive consumer privacy frameworks, do you really have any? Time will tell for Massachusetts.

4. A Re-emergence for the Virginia Approach?

Year upon year, California-inspired comprehensive privacy bills have been introduced in both Oklahoma and Mississippi but failed to advance (and in many cycles, even move). This year, proposals closely aligned with the Virginia Consumer Data Protection Act (2021) have been introduced for the first time in the upper chamber of both states - Oklahoma (SB 546) and Mississippi (SB2500).

It is too early to guess whether either new proposal will gain traction. However, one can’t help but recall the situation in Kentucky last year, where a privacy framework containing significant divergences from the overall state landscape was worked on over multiple cycles, but ultimately a more familiar Virginia-style bill was introduced and enacted in the course of a single session.

5. Texas Brings Lawsuit under the TDPSA

A significant milestone in the emergence of the comprehensive state privacy landscape occurred on Monday, January 13th, as the Texas Attorney General's Office filed suit against Arity, primarily alleging deficient processes for obtaining opt-in consent under the Texas Data Privacy and Security Act. State regulators have frequently used their privacy laws' ‘right to cure’, and three settlements (in California) have been reached, but this is the first instance of a regulator filing public suit under a U.S. comprehensive consumer privacy statute.

The case alleges that Arity paid app developers to use mobile SDKs to collect “trillions of miles worth” of location and driving behavior data on over 45 million Americans, which was monetized in various ways, including through determining insurance prices. The AG alleged this data collection and processing occurred without the notice or consent required for the collection of sensitive data under the TDPSA.

There are a couple of interesting nuggets in the filing, including an allegation that Arity only sought to partner with apps that already collect location data in order to function properly (no analogy to the classic example of a flashlight app selling location data here). The Texas AG also cites new FTC Chair Andrew Ferguson's recent opinion in the Gravy Analytics settlement, which argued that the sale of precise location data without consent poses an unavoidable and substantial risk of injury for the purpose of an FTC Act Section 5 charge.

As always, thanks for stopping by.


Keir Lamont is Senior Director for U.S. Legislation at the Future of Privacy Forum

NYHIPA is extremely significant for all the reasons here... And also because it widens the narrow definition of covered entities so broadly beyond HIPAA. Thanks for covering this, Keir Lamont.

Maureen Hernberg

Data and Privacy Leader passionate about MedTech and healthcare innovation

1 month

Thank you, Keir Lamont. Here we go 2025?!


Thank you for this helpful summary!
